'\" et
.TH SETUID "3P" 2017 "IEEE/The Open Group" "POSIX Programmer's Manual"
.\"
.SH PROLOG
This manual page is part of the POSIX Programmer's Manual.
The Linux implementation of this interface may differ (consult
the corresponding Linux manual page for details of Linux behavior),
or the interface may not be implemented on Linux.
.\"
.SH NAME
setuid
\(em set user ID
.SH SYNOPSIS
.LP
.nf
#include <unistd.h>
.P
int setuid(uid_t \fIuid\fP);
.fi
.SH DESCRIPTION
If the process has appropriate privileges,
\fIsetuid\fR()
shall set the real user ID, effective user ID, and the saved
set-user-ID of the calling process to
.IR uid .
.P
If the process does not have appropriate privileges, but
.IR uid
is equal to the real user ID or the saved set-user-ID,
\fIsetuid\fR()
shall set the effective user ID to
.IR uid ;
the real user ID and saved set-user-ID shall remain unchanged.
.P
The
\fIsetuid\fR()
function shall not affect the supplementary group list in any way.
.SH "RETURN VALUE"
Upon successful completion, 0 shall be returned. Otherwise, \-1
shall be returned and
.IR errno
set to indicate the error.
.SH ERRORS
The
\fIsetuid\fR()
function shall fail, return \-1, and set
.IR errno
to the corresponding value if one or more of the following are true:
.TP
.BR EINVAL
The value of the
.IR uid
argument is invalid and not supported by the implementation.
.TP
.BR EPERM
The process does not have appropriate privileges and
.IR uid
does not match the real user ID or the saved set-user-ID.
.LP
.IR "The following sections are informative."
.SH EXAMPLES
None.
.SH "APPLICATION USAGE"
None.
.SH RATIONALE
The various behaviors of the
\fIsetuid\fR()
and
\fIsetgid\fR()
functions when called by non-privileged processes reflect the behavior
of different historical implementations. For portability, it is
recommended that new non-privileged applications use the
\fIseteuid\fR()
and
\fIsetegid\fR()
functions instead.
.P
The saved set-user-ID capability allows a program to regain the
effective user ID established at the last
.IR exec
call. Similarly, the saved set-group-ID capability allows a program to
regain the effective group ID established at the last
.IR exec
call. These capabilities are derived from System V. Without them, a
program might have to run as superuser in order to perform the same
functions, because superuser can write on the user's files. This is a
problem because such a program can write on any user's files, and so
must be carefully written to emulate the permissions of the calling
process properly. In System V, these capabilities have traditionally
been implemented only via the
\fIsetuid\fR()
and
\fIsetgid\fR()
functions for non-privileged processes. The fact that the behavior of
those functions was different for privileged processes made them
difficult to use. The POSIX.1\(hy1990 standard defined the
\fIsetuid\fR()
function to behave differently for privileged and unprivileged users.
When the caller had appropriate privileges, the function set the real
user ID, effective user ID, and saved set-user ID of the calling process
on implementations that supported it. When the caller did not have
appropriate privileges, the function set only the effective user ID,
subject to permission checks. The former use is generally needed for
utilities like
.IR login
and
.IR su ,
which are not conforming applications and thus outside the scope of
POSIX.1\(hy2008. These utilities wish to change the user ID irrevocably to a new
value, generally that of an unprivileged user. The latter use is needed
for conforming applications that are installed with the set-user-ID bit
and need to perform operations using the real user ID.
.P
POSIX.1\(hy2008 augments the latter functionality with a mandatory feature named
_POSIX_SAVED_IDS. This feature permits a set-user-ID application to
switch its effective user ID back and forth between the values of its
.IR exec -time
real user ID and effective user ID. Unfortunately, the POSIX.1\(hy1990 standard did not
permit a conforming application using this feature to work properly when
it happened to be executed with (implementation-defined)
appropriate privileges. Furthermore, the application did not even have a
means to tell whether it had this privilege. Since the saved
set-user-ID feature is quite desirable for applications, as evidenced
by the fact that NIST required it in FIPS 151\(hy2, it has been mandated by
POSIX.1\(hy2008. However, there are implementors who have been reluctant to
support it given the limitation described above.
.P
The 4.3BSD system handles the problem by supporting separate
functions:
\fIsetuid\fR()
(which always sets both the real and effective user IDs, like
\fIsetuid\fR()
in POSIX.1\(hy2008 for privileged users), and
\fIseteuid\fR()
(which always sets just the effective user ID, like
\fIsetuid\fR()
in POSIX.1\(hy2008 for non-privileged users). This separation of functionality
into distinct functions seems desirable. 4.3BSD does not support the
saved set-user-ID feature. It supports similar functionality of
switching the effective user ID back and forth via
\fIsetreuid\fR(),
which permits reversing the real and effective user IDs. This model
seems less desirable than the saved set-user-ID because the real user
ID changes as a side-effect. The current 4.4BSD includes saved
effective IDs and uses them for
\fIseteuid\fR()
and
\fIsetegid\fR()
as described above. The
\fIsetreuid\fR()
and
\fIsetregid\fR()
functions will be deprecated or removed.
.P
The solution here is:
.IP " *" 4
Require that all implementations support the functionality of the saved
set-user-ID, which is set by the
.IR exec
functions and by privileged calls to
\fIsetuid\fR().
.IP " *" 4
Add the
\fIseteuid\fR()
and
\fIsetegid\fR()
functions as portable alternatives to
\fIsetuid\fR()
and
\fIsetgid\fR()
for non-privileged and privileged processes.
.P
Historical systems have provided two mechanisms for a set-user-ID
process to change its effective user ID to be the same as its real user
ID in such a way that it could return to the original effective user
ID: the use of the
\fIsetuid\fR()
function in the presence of a saved set-user-ID, or the use of the BSD
\fIsetreuid\fR()
function, which was able to swap the real and effective user IDs. The
changes included in POSIX.1\(hy2008 provide a new mechanism using
\fIseteuid\fR()
in conjunction with a saved set-user-ID. Thus, all implementations with
the new
\fIseteuid\fR()
mechanism will have a saved set-user-ID for each process, and most of
the behavior controlled by _POSIX_SAVED_IDS has been changed
to agree with the case where the option was defined. The
\fIkill\fR()
function is an exception. Implementors of the new
\fIseteuid\fR()
mechanism will generally be required to maintain compatibility with the
older mechanisms previously supported by their systems. However,
compatibility with this use of
\fIsetreuid\fR()
and with the _POSIX_SAVED_IDS behavior of
\fIkill\fR()
is unfortunately complicated. If an implementation with a saved
set-user-ID allows a process to use
\fIsetreuid\fR()
to swap its real and effective user IDs, but were to leave the saved
set-user-ID unmodified, the process would then have an effective user
ID equal to the original real user ID, and both real and saved
set-user-ID would be equal to the original effective user ID. In that
state, the real user would be unable to kill the process, even though
the effective user ID of the process matches that of the real user, if
the
\fIkill\fR()
behavior of _POSIX_SAVED_IDS was used. This is obviously not
acceptable. The alternative choice, which is used in at least one
implementation, is to change the saved set-user-ID to the effective
user ID during most calls to
\fIsetreuid\fR().
The standard developers considered that alternative to be less correct
than the retention of the old behavior of
\fIkill\fR()
in such systems. Current conforming applications shall accommodate
either behavior from
\fIkill\fR(),
and there appears to be no strong reason for
\fIkill\fR()
to check the saved set-user-ID rather than the effective user ID.
.SH "FUTURE DIRECTIONS"
None.
.SH "SEE ALSO"
.IR "\fIexec\fR\^",
.IR "\fIgetegid\fR\^(\|)",
.IR "\fIgeteuid\fR\^(\|)",
.IR "\fIgetgid\fR\^(\|)",
.IR "\fIgetuid\fR\^(\|)",
.IR "\fIsetegid\fR\^(\|)",
.IR "\fIseteuid\fR\^(\|)",
.IR "\fIsetgid\fR\^(\|)",
.IR "\fIsetregid\fR\^(\|)",
.IR "\fIsetreuid\fR\^(\|)"
.P
The Base Definitions volume of POSIX.1\(hy2017,
.IR "\fB<sys_types.h>\fP",
.IR "\fB<unistd.h>\fP"
.\"
.SH COPYRIGHT
Portions of this text are reprinted and reproduced in electronic form
from IEEE Std 1003.1-2017, Standard for Information Technology
-- Portable Operating System Interface (POSIX), The Open Group Base
Specifications Issue 7, 2018 Edition,
Copyright (C) 2018 by the Institute of
Electrical and Electronics Engineers, Inc and The Open Group.
In the event of any discrepancy between this version and the original IEEE and
The Open Group Standard, the original IEEE and The Open Group Standard
is the referee document. The original Standard can be obtained online at
http://www.opengroup.org/unix/online.html .
.PP
Any typographical or formatting errors that appear
in this page are most likely
to have been introduced during the conversion of the source files to
man page format. To report such errors, see
https://www.kernel.org/doc/man-pages/reporting_bugs.html .
